SSTP / PPTP on our server

I've just started using Sophos, and basic functionality works.

Unfortunately I'm having issues enabling outside access to our PPTP / SSTP server. UTM doesn't have SSTP at all, and the PPTP requires the use of local users (we already have everything set up via AD on our VPN server).

My first instinct was to try and use DNAT, but it seems this isn't working. The initial packet seems to go through fine, but the connection cannot be established, in the end.

The VPN server has an internal DNS "srv-vpn-p01" with IP 10.150.1.11. I've tried creating the following DNAT rules:
Any->PPTP->public IP
Destination translation: srv-vpn-p01

The above is for the PPTP. I've also tried the same for SSTP (setting it up as a simple service using port 443).

Turning on logging for those DNAT rules, I get the following in the Firewall logs:

15:22:34 NAT rule #1 TCP 62.21.53.132 : 52483 → 91.227.197.59 : 1723 [SYN] len=52 ttl=122 tos=0x00 srcmac=4c:5e:0c:c8:e0:07 dstmac=00:1a:8c:44:af:5d

Where NAT rule #1 is the auto-generated firewall rule based off the DNAT rule.

What am I missing?
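The log above shows only the TCP/1723 SYN being forwarded. PPTP also needs a GRE (IP protocol 47) data channel, which a TCP-only DNAT does not cover, so a useful first check is whether GRE ever arrives and is allowed. The following Python checker is an added example, not code from the post or from Sophos; it parses lines in the live-log layout quoted above, and the sample lines, addresses and GRE line layout are constructed assumptions.

```python
import re
from collections import defaultdict

# Layout of the UTM firewall live log as quoted in the post:
#   <time> <rule name> <proto> <src> : <sport> → <dst> : <dport> [<flags>] len=... ttl=...
# Ports are optional so a GRE line (no ports) parses; how UTM renders GRE lines is an assumption.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<rule>.+?)\s+(?P<proto>TCP|UDP|GRE|ICMP)\s+"
    r"(?P<src>\S+)(?:\s+:\s+(?P<sport>\d+))?\s+→\s+(?P<dst>\S+)(?:\s+:\s+(?P<dport>\d+))?"
    r"(?:\s+\[(?P<flags>[^\]]*)\])?"
)

# Constructed sample lines using documentation addresses, not the poster's.
SAMPLE_LOG = """\
15:22:34 NAT rule #1 TCP 192.0.2.10 : 52483 → 198.51.100.5 : 1723 [SYN] len=52 ttl=122 tos=0x00
15:22:36 Default DROP GRE 192.0.2.10 → 198.51.100.5 len=60 ttl=122 tos=0x00
15:22:40 NAT rule #1 TCP 192.0.2.20 : 40001 → 198.51.100.5 : 1723 [SYN] len=52 ttl=64 tos=0x00
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"]) if rec["dport"] is not None else None
    return rec

def diagnose_pptp(log_text):
    """Per client address, check whether TCP/1723 and the GRE data channel both pass."""
    seen = defaultdict(lambda: {"tcp1723": False, "gre": False, "gre_dropped": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = seen[rec["src"]]
        if rec["proto"] == "TCP" and rec["dport"] == 1723:
            s["tcp1723"] = True
        elif rec["proto"] == "GRE":
            s["gre"] = True
            s["gre_dropped"] |= "DROP" in rec["rule"].upper()
    verdicts = {}
    for src, s in seen.items():
        if s["tcp1723"] and not s["gre"]:
            verdicts[src] = "no GRE seen: only the PPTP control channel reached the firewall"
        elif s["tcp1723"] and s["gre_dropped"]:
            verdicts[src] = "GRE dropped: a TCP/1723 DNAT alone does not cover the data channel"
        elif s["tcp1723"]:
            verdicts[src] = "TCP/1723 and GRE both pass"
    return verdicts
```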

  • OK, it seems to be working now.

    I must have been doing something wrong yesterday. Perhaps stress and tiredness got to me.

    Anyway, thanks a lot for the help! I'll mark the most likely suggestion as the answer.
    PS. With a DNAT rule I guess it effectively prevents us from using the user portal on the same port, correct? I don't suppose DNAT can use host names to route the requests (i.e. portal.rcrm.pl:443 == portal, vpn.rcrm.pl:443 == our VPN over DNAT)?

  • Hi Mateusz,

    Thanks for the update. UTM listens for the User Portal on port 443. Hence, that needs to be changed if a DNAT is defined on the same port, to tell the UTM to stop listening for the User Portal on 443.

    I would request you to start a new thread as we follow a simple rule of one question per thread which makes it easier to find a solution.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Thanks again.

    I apologise for the side question. I've already found someone else having a similar problem (i.e. putting SSTP on one IP, hopefully with other HTTPS services available as well) and "bumped" that thread. Perhaps something will come of it.
